feat: Use customer's certificate signed by CA (#291)
* added secret with predefined customer's certificates and private key
* documentation: added secret with predefined customer's certificates and private key
* update according to comments
* remove jenkins-x-vault name with suffix

Co-authored-by: Andriy Pentsak <[email protected]>
1 parent b10a2bb, commit 63feaaa
Showing 10 changed files with 107 additions and 0 deletions.
@@ -227,6 +227,8 @@ The following sections provide a full list of configuration in- and output varia | |
| subdomain | The subdomain to be added to the apex domain. If subdomain is set, it will be appended to the apex domain in `jx-requirements-eks.yml` file | `string` | `""` | no | | ||
| subnets | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no | | ||
| tls\_email | The email to register the LetsEncrypt certificate with. Added to the `jx-requirements.yml` file | `string` | `""` | no | | ||
| tls\_key | The customer's private key that he got from some CA. It could be as base64 encrypted content or path to file. | `string` | `""` | no | | ||
| tls\_cert | The customer's certificate that he got from some CA. It could be as base64 encrypted content or path to file. | `string` | `""` | no | | ||
| use\_asm | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no | | ||
| use\_kms\_s3 | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | | ||
| use\_vault | Flag to control vault resource creation | `bool` | `true` | no | | ||
|
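Review bot: the new `tls_key` and `tls_cert` rows describe the value as "base64 encrypted content", but base64 is an encoding, not encryption, and a base64 string gives the private key no protection at all; wording it "base64-encoded content or a path to a file" avoids suggesting the key is safe to paste into a committed file. Also "that he got from some CA" reads awkwardly; "obtained from a CA" works for both rows. Since the Terraform `count` on the new secret resource needs both values, the rows should also state that `tls_cert` and `tls_key` must be set together.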
@@ -407,6 +409,22 @@ You can choose to use the `production` environment with the `production_letsencr | |
|
||
You need to provide a valid email to register your domain in LetsEncrypt with `tls_email`. | ||
|
||
### Customer's CA certificates | ||
|
||
Customer has got signed certificates from CA and want to use it instead of LetsEncrypt certificates. Terraform creates k8s `tls-ingress-certificates-ca` secret with `tls_key` and `tls_cert` in `default` namespace. | ||
User should define: | ||
``` | ||
enable_external_dns = true | ||
apex_domain = "office.com" | ||
subdomain = "subdomain" | ||
enable_tls = true | ||
tls_email = "[email protected]" | ||
// Signed Certificate must match the domain: *.subdomain.office.com | ||
tls_cert = "/opt/CA/cert.crt" | ||
tls_key = "LS0tLS1C....BLRVktLS0tLQo=" | ||
``` | ||
|
||
### Velero Backups | ||
|
||
This module can set up the resources required for running backups with Velero on your cluster by setting the flag `enable_backup` to `true`. | ||
|
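Review bot: the example in the new "Customer's CA certificates" section places a base64-encoded private key directly in the Terraform configuration (`tls_key = "LS0tLS1C....BLRVktLS0tLQo="`); `.tf` files are normally committed, so the documentation should steer users towards a file path outside the repository or a value supplied at apply time (`-var`, `TF_VAR_tls_key`, or an uncommitted `.tfvars`) and should say plainly that whichever form is used, the decoded key is stored in Terraform state, so the state backend has to be protected accordingly. Grammar: "Customer has got signed certificates from CA and want to use it instead of LetsEncrypt certificates" would read better as "A customer who holds certificates signed by a CA can use them instead of LetsEncrypt certificates". The fence has no language tag; `hcl` would give it highlighting, matching the other README examples.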
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
module "eks-jx" { | ||
source = "jenkins-x/eks-jx/aws" | ||
|
||
enable_external_dns = true | ||
apex_domain = "office.com" | ||
subdomain = "subdomain" | ||
enable_tls = true | ||
tls_email = "[email protected]" | ||
|
||
// Signed Certificate must match the domain: *.subdomain.office.com | ||
tls_cert = var.tls_cert | ||
tls_key = var.tls_key | ||
} |
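Review bot: `apex_domain = "office.com"` is a real, registrable domain used as a placeholder; the reserved `example.com` (RFC 2606) avoids readers copying a third party's domain into their configuration, and the same applies to the README snippet. The example also keeps `tls_email`, which the README describes as the LetsEncrypt registration address; either note that it is still required when `tls_cert`/`tls_key` are supplied, or drop it from this example so it is clear that the customer certificate path does not involve LetsEncrypt.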
@@ -0,0 +1,4 @@ | ||
output "jx_requirements" { | ||
value = module.eks-jx.jx_requirements | ||
description = "The templated jx-requirements.yml" | ||
} |
@@ -0,0 +1,18 @@ | ||
// ----------------------------- | ||
// Customer's Certificates | ||
// ----------------------------- | ||
// | ||
// tls_key and tls_cert can be as path to file or base64-encrypted content | ||
// | ||
|
||
variable "tls_key" { | ||
description = "Path to TLS key or base64-encrypted content" | ||
type = string | ||
default = "/opt/cert_ca/private.key" | ||
} | ||
|
||
variable "tls_cert" { | ||
description = "Path to TLS certificate or base64-encrypted content" | ||
type = string | ||
default = "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" | ||
} |
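Review bot: `default = "/opt/cert_ca/private.key"` gives the example's `tls_key` a non-empty default, so unless the user overrides it the module's `count = var.tls_key == "" || var.tls_cert == "" ? 0 : 1` never evaluates to 0, and an `apply` on a machine without that file fails inside `try()` with a base64 decode error on what is actually a file path. Defaulting both variables to `""` (as the README table documents) or leaving them without a default so they are required makes the example safe to copy. Adding `sensitive = true` to `tls_key` keeps the decoded key out of plan and apply output (Terraform 0.14 and later). The header comment and both descriptions say "base64-encrypted"; it should be "base64-encoded", as base64 is not encryption.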
@@ -0,0 +1,18 @@ | ||
resource "kubernetes_secret" "tls" { | ||
count = var.tls_key == "" || var.tls_cert == "" ? 0 : 1 | ||
metadata { | ||
name = "tls-ingress-certificates-ca" | ||
namespace = "default" | ||
} | ||
|
||
data = { | ||
"tls.crt" = try(file(var.tls_cert), base64decode(var.tls_cert)) | ||
"tls.key" = try(file(var.tls_key), base64decode(var.tls_key)) | ||
} | ||
|
||
type = "kubernetes.io/tls" | ||
|
||
depends_on = [ | ||
module.eks | ||
] | ||
} |
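Review bot: `count = var.tls_key == "" || var.tls_cert == "" ? 0 : 1` silently creates no secret when only one of the two variables is set, and nothing surfaces the misconfiguration; a `validation` block on the variables, or a precondition asserting that both are set or both empty, would fail the plan instead. The `try(file(var.tls_cert), base64decode(var.tls_cert))` fallback also means a mistyped path is retried as base64 and reports a decode error rather than a missing file; branching on `fileexists(var.tls_cert)` (and the same for `tls_key`) keeps the two forms explicit and gives the user the real cause. Note in the README that the decoded certificate and key land in Terraform state in clear text, so the state backend must be treated as a secret store. Finally, `namespace = "default"` is hardcoded; a `kubernetes.io/tls` secret has to live in the same namespace as the Ingress that references it, so the namespace should be a variable or the constraint documented.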